Microsoft Press MCTS Training Kit 70-643: Applications Platform Configuring, part 4 (ppt)

Chapter 4
Configuring and Managing a Terminal Services Infrastructure
This chapter moves beyond the topic of deploying a terminal server and discusses how to configure
the components that comprise an entire Terminal Services infrastructure—clients, servers,
gateways, and applications.
Even more than other Microsoft Windows Server technologies, Terminal Services components
are best understood by working with them directly. With this idea in mind, be sure to perform
the extensive practices at the end of each lesson to develop the skills you need for both the
exam and the real world.
Exam objectives in this chapter:
- Configuring Terminal Services
  - Configure Terminal Services client connections.
  - Configure Terminal Services Gateway.
  - Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp).
  - Configure and monitor Terminal Services resources.
Lessons in this chapter:
- Lesson 1: Configuring and Managing Terminal Services Clients
- Lesson 2: Deploying Terminal Services Gateway
- Lesson 3: Publishing Applications with TS RemoteApp
Before You Begin
To complete the lessons in this chapter, you must have:
- A computer running Windows Server 2008 named Server1 that is a domain controller in
a domain named Contoso.com.
- A computer running Windows Server 2008 named Server2 that is a member server in
the Contoso.com domain. On Server2, the Terminal Server role service is installed, but
no other role services in the Terminal Services role are installed.
- Three domain administrator accounts, named ContosoAdmin1, ContosoAdmin2, and
ContosoAdmin3.


Real World
JC Mackin
Virtualization is a big IT trend these days, and Terminal Services represents a part of
this trend by offering what has been called presentation virtualization. Anything related
to virtualization sounds like a cool thing today, but what’s the actual purpose of this
technology? What problem is it trying to fix?
Beyond the hype, a real-world benefit of presentation virtualization is its ability to assist
in server consolidation. Recently, many IT departments have started to consolidate their
application servers with a view to improving efficiency and lowering costs. Server consolidation
is essentially the process of centralizing the resources of many servers onto as
few physical servers as possible. Terminal Services is a key component of such an application
consolidation strategy because it enables many users to access many applications
on a single server.
Lesson 1: Configuring and Managing Terminal Services Clients
A Terminal Services (TS) infrastructure includes many areas for client configuration, areas
such as user profiles, client session options, resource allocation, and the TS client program
(Mstsc) itself.
This lesson introduces you to tools you can use to administer these and other aspects of TS
client connections.
After this lesson, you will be able to:
- Understand the configuration options available in Remote Desktop Connection.
- Manage connections to Terminal Services.
Estimated lesson time: 50 minutes
Configuring Terminal Services Client Settings
The Terminal Services client, Remote Desktop Connection (RDC), is highly configurable. For
example, you can configure the client to display remote desktops with a certain screen resolution
or to make certain local drives available in the session. These features can be configured
in the client application itself or at the domain level by using a Group Policy Object (GPO).

Configuring Remote Desktop Connection Options
RDC, also known as Mstsc.exe, is the primary client program used to connect to Terminal
Services. The other client program is Remote Desktops, which is available as a snap-in through
Microsoft Management Console (MMC). Through its options tabs, RDC enables you to customize
a Terminal Services connection within the limitations set at the server or in Group
Policy.
To explore the configuration options available through RDC, open RDC, and then click the
Options button, as shown in Figure 4-1.
Figure 4-1 Accessing RDC options tabs
This step reveals the six RDC options tabs. The following section describes the features you
can configure on these RDC options tabs.
- General: The General tab, shown in Figure 4-2, enables you to define a target computer
and a set of authentication credentials for the connection. It also enables you to save the
options defined for the connection in an RDP (Remote Desktop) file.
Figure 4-2 RDC General tab
- Display: The Display tab, shown in Figure 4-3, enables you to define the screen resolution
and color bit depth for the TS client window.
Figure 4-3 RDC Display tab
- Local Resources: The Local Resources tab enables you to choose which local resources
(such as the Clipboard, any locally defined printers, and any local drives) should be
made available within the TS session. This tab also enables you to determine the behavior
of features such as sounds and keystrokes in the TS session.
The Local Resources tab is shown in Figure 4-4.
Figure 4-4 RDC Local Resources tab
- Programs: This tab enables you to define any program you want to start automatically
when the TS connection begins.
The Programs tab is shown in Figure 4-5.
Figure 4-5 RDC Programs tab
- Experience: The Experience tab, shown in Figure 4-6, enables you to choose which
optional graphical user interface (GUI) effects you want to display from the terminal
server. For example, the Desktop background and font smoothing features visually
enhance the TS session but can also strain network resources and slow TS client performance.
Performance settings will be selected automatically, as a suggestion, when you
choose a connection type.
Figure 4-6 RDC Experience tab
- Advanced: The Advanced tab, shown in Figure 4-7, enables you to configure client
behavior for the Server Authentication and Terminal Services Gateway (TS Gateway) features.
Server Authentication is a feature, native to Windows Vista and Windows Server
2008, through which a terminal server can confirm that its identity is the computer specified
by the TS client. On the Advanced tab, you can configure a TS client to warn, block,
or enable a connection to a server on which Server Authentication has failed.
The Terminal Services Gateway feature enables a TS client to traverse a corporate firewall
and connect to any number of terminal servers in an organization. This feature
and its configuration are described in detail in Lesson 2, “Deploying Terminal Services
Gateway.”
Figure 4-7 RDC Advanced tab
Saving RDP Files
After you have defined the desired options for a TS client in RDC, these settings are saved automatically
in the Documents folder to a hidden file named Default.rdp. This file contains the
settings used for RDC when you open the program from the Start menu. However, you can
also save TS client configuration settings in custom .rdp files by clicking the Save As button on
the General tab. These .rdp files can then be used to initiate TS sessions with specific client
options (such as server name and authentication information).
Exam Tip On the 70-643 exam, expect to see a question about saving RDC settings in an .rdp
file. Be sure to review the settings on all the RDC options tabs so that you understand the kind of
configuration details that can be saved in such a file.
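Added example (not part of the original text): a saved .rdp file is plain text with one name:type:value setting per line, so the options chosen on the RDC tabs can be reviewed before a file is distributed. The sketch below parses a constructed sample and flags the settings that correspond to the Advanced and Local Resources tabs. The setting names are the ones mstsc.exe writes; the severity labels and the mapping to tabs are assumptions of this example.

```python
# Added example: audit the settings stored in an .rdp file.
# Setting names are the ones mstsc.exe writes; the page describes the tabs
# but not these names, so the tab mapping is this example's assumption.

# Constructed sample, not taken from the page.
SAMPLE_RDP = """\
full address:s:server2.contoso.com
username:s:contoso\\contosoadmin2
screen mode id:i:2
session bpp:i:32
authentication level:i:0
redirectclipboard:i:1
redirectprinters:i:0
drivestoredirect:s:*
alternate shell:s:
prompt for credentials:i:0
"""


def decode_rdp(raw):
    """mstsc normally saves .rdp files as UTF-16 with a BOM; accept UTF-8 too."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_rdp(text):
    """Parse 'name:type:value' lines; type is i (integer), s (string) or b (binary)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # skip blank or malformed lines
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name.lower()] = value
    return settings


def audit_rdp(settings):
    """Return (severity, setting, message) tuples for settings worth reviewing."""
    findings = []
    level = settings.get("authentication level")
    if level == 0:  # Advanced tab: connect even if Server Authentication fails
        findings.append(("HIGH", "authentication level",
                         "connects without warning when Server Authentication fails"))
    elif level == 2:
        findings.append(("INFO", "authentication level",
                         "warns on failed Server Authentication but lets the user continue"))
    drives = settings.get("drivestoredirect", "")
    if drives:  # Local Resources tab: local drives
        findings.append(("MEDIUM", "drivestoredirect",
                         "local drives made available in the session: " + drives))
    if settings.get("redirectclipboard") == 1:  # Local Resources tab: Clipboard
        findings.append(("LOW", "redirectclipboard",
                         "Clipboard is shared between client and session"))
    if settings.get("alternate shell"):  # Programs tab
        findings.append(("INFO", "alternate shell",
                         "program started at connection: " + settings["alternate shell"]))
    if "password 51" in settings:  # saved credential blob in the file
        findings.append(("HIGH", "password 51",
                         "file carries an embedded password blob"))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print(f"{severity:6} {name}: {message}")
```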

Configuring Terminal Services Clients Through Group Policy
Group Policy enables you to enforce settings centrally on users or computers in an Active
Directory environment. As a way to manage many TS clients, you can use a GPO to ensure that
Remote Desktop Connection is always configured with the settings you choose. In many
cases, this is the most efficient and effective way to manage TS clients.
In the Computer Configuration section of a GPO, you can specify client settings such as whether
the passwords should be saved in RDC, whether the client should always be prompted for credentials,
how server authentication should be performed, and which resources should be redirected
to the TS session. You can explore these settings in a GPO by browsing to Computer
Configuration\Policies\Administrative Templates\Windows Components\Terminal Services.
In the User Configuration section of a GPO, you can configure settings related to session time
limits, remote control, and the remote session environment. You can explore these settings in
a GPO by browsing to User Configuration\Policies\Administrative Templates\Windows
Components\Terminal Services.
Single Sign-on: A particularly useful Terminal Services client feature that you can configure
in Group Policy is Single Sign-on (SSO). In an Active Directory domain environment, you can
use SSO to eliminate the need to enter user credentials when you use RDC to connect to a terminal
server. With SSO, instead of prompting for your credentials, RDC automatically uses the
credentials of the user currently logged on to the local computer running Microsoft Windows.
To configure SSO, enable the Allow Delegating Saved Credentials policy setting, which you
can find in Computer Configuration\Policies\Administrative Templates\System\Credentials
Delegation. After enabling the policy, you then need to create in the same policy a server list
that specifies the terminal servers that will accept SSO credentials. Add each server name in
the form TERMSRV/<Your server name>. To enable all terminal servers within the scope of the
policy to accept SSO credentials, you can add the entry TERMSRV/*. Listing servers individually
limits credential delegation to those hosts, whereas the wildcard entry covers every terminal server.
Exam Tip For the 70-643 exam, you need to understand only that Group Policy provides the
best method to enforce a TS or RDC configuration for many users and computers. You do not need
to memorize all the configurable options or where to find them. However, it is still a good idea to
browse through these options to get a sense of the ones that are enforceable in an Active Directory
environment.
Configuring User Profiles for Terminal Services
In general terms, a user profile simply refers to the collection of data that comprises a user’s
individual environment—data including a user’s individual files, application settings, and
desktop configuration. In more specific terms, a user profile also refers to the contents of the
personal folder, automatically created by Windows, that bears the name of an individual user.
By default, this personal folder is created in the C:\Users folder when a user logs on for the
first time to a computer running Windows Vista or Windows Server 2008. It contains subfolders
such as Documents, Desktop, and Downloads as well as a personal data file named
Ntuser.dat. For example, by default, a user named StefanR will store the data that makes up his
personal environment in a folder named C:\Users\StefanR.
In a Terminal Services environment, user profiles are stored on the terminal server by default.
This point is important because when many users access the terminal server, profiles are centralized
and can consume a large amount of server disk space. If storage space on the terminal
server is insufficient, plan to store user data and profiles on a disk that is separate from the
operating system installation disk drive. Also consider using disk quotas to limit the amount
of space available to each user. (You can configure disk quotas through the properties of the
drive on the terminal server where the profiles are stored.)
Exam Tip For the 70-643 exam, you need to know you can use disk quotas to limit the size of
user profiles in Terminal Services.
Another way to manage TS user profiles is to configure users with a Terminal Services–specific
roaming user profile that is stored on a central network share. Such a profile is downloaded
to the user’s TS session whenever and wherever such a session is initiated. This TS-specific
roaming user profile can be defined on the Terminal Services Profile tab of a user account’s
properties, as shown in Figure 4-8. Alternatively, you can use Group Policy to define these TS
roaming user profiles. (You can find Terminal Services profile settings in a GPO in
Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal
Services\Terminal Server\Profiles. The specific policy setting used to configure TS-specific
roaming user profiles is named Set Path For TS Roaming User Profile.)

Figure 4-8 Configuring a TS-specific roaming user profile
CAUTION Roaming user profiles and Terminal Services
Ordinary roaming user profiles are those that follow a user as he or she logs on and off from various
computers in a Windows domain. Ordinary roaming user profiles should not be used for Terminal
Services sessions because they can lead to unexpected data loss or corruption. If you have
configured roaming user profiles in your organization, be sure to implement TS-specific user profiles
as well.
Configuring Home Folders
When a user chooses to save a file, the default path points to a location known as the home
folder. For Terminal Services, the home folder by default is located on the terminal server. However,
it is usually helpful to configure the home folder either on the local disk drive or on a network
share. Configuring the home folder in this way ensures that users can locate their saved
files easily. As with TS-specific roaming user profiles, you can define home folder locations for
Terminal Services either in the properties of the user account or in Group Policy. (Home folder
settings for Terminal Services can be found in a Group Policy object in
Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal
Server\Profiles. The policy setting used to configure home folders is named Set TS User Home
Directory.)
Quick Check
1. Where is the default location of the user profile for a TS user?
2. What is the most efficient way of configuring RDC options for many users in your
organization?
Quick Check Answers
1. On the terminal server
2. Group Policy
Managing Terminal Services User Connections
Terminal Services Manager (TSM) is the main administrative tool used to manage connections
to a terminal server. You can use TSM to view information about users connected to a terminal
server, to monitor user sessions, or to perform administrative tasks such as logging users off
or disconnecting user sessions.
To open TSM from the Start menu, point to Administrative Tools, point to Terminal Services,
and then click Terminal Services Manager. You can also open TSM by typing tsadmin.msc in
the Start Search or Run boxes on the Start menu.
The next section reviews the main management tasks you can perform in TSM and provides
many command-line alternatives for these management tasks. To learn more about using
TSM, be sure to perform the exercises at the end of this lesson.
Exam Tip Although TSM is the main tool used to manage TS user connections, most of the
management functions provided also have command-line equivalents. Be sure to learn the GUI and
command-line versions of all the functions described in this section.
TSM is shown in Figure 4-9.
Figure 4-9 The Terminal Services Manager console
TSM provides three tabs from which to view and manage Terminal Services connections:
Users, Sessions, and Processes.
- The Users tab displays information about users connected to the terminal server,
information such as the currently logged on user accounts, the time of the user’s logon to the
server, and the session status.
To display information about user sessions on a terminal server, you can also use the
Query user or Quser command-line commands.
MORE INFO Use the /? switch for more info
To learn more about any of the command-line tools introduced in this section, simply type
the command at the command prompt with the /? switch. For example, to learn the syntax
for Quser, type quser /?.
- The Sessions tab provides information about the sessions connected to the terminal
server. Because some sessions are initiated by services or by the operating system,
sessions typically outnumber users.
To display information about sessions on a terminal server, you can also use the Query
session command.
- The Processes tab displays information about which programs each user is running on
the terminal server.
To display information about processes that are running on the terminal server, you can
also use the Query process or Qprocess command.
Managing User Sessions
To manage user sessions in TSM, simply right-click a user shown on the Users tab, and then
select any of the seven command options available on the shortcut menu. Alternatively, you
can select a user, and then click an action available on the Actions menu. Both of these options
are shown in Figure 4-10.
Figure 4-10 The Terminal Services Manager user session commands
The following section describes the seven management options available on the user session
shortcut menu, along with their command-line tool equivalents.
- Connect: You can use the Connect command to reconnect to your own active or disconnected
user session. (This scenario is possible only when you have configured the terminal
server to accept multiple sessions from the same user.) In addition, if you have been
granted the Full Control or Connect special access permission on the server’s RDP-Tcp
connection (configured in the Terminal Services Configuration console), you can also
use this command to connect to the active or disconnected session of another user.
As an alternative to using TSM to connect to a TS client session, you can also use the
Tscon command-line command.
IMPORTANT Using the Connect feature in TSM
You must be connected to the terminal server in a client session to use the Connect feature
in TSM. The feature is disabled in TSM when you are logged on locally to the terminal server.
(A local logon session is also known as a console session.)
- Disconnect: You can use the Disconnect command in the Actions pane or on the shortcut
menu to disconnect a user from a session. When you disconnect a user from a session,
all the programs and processes running in the session continue to run. Therefore, too
many disconnected sessions can drain terminal server resources and slow server performance.
As an alternative to using TSM to disconnect a TS client session, you can also use the
Tsdiscon command-line tool.
Disconnecting another user from a session requires the Full Control or Disconnect special
access permission on the server’s RDP-Tcp connection.
- Send Message: The Send Message command enables you to send a simple console message
to a user connected to a terminal server. Use this command, for example, when you
need to warn a user that he or she is about to be disconnected or logged off.
To send a message to a user on a terminal server, you can also use the Msg command-line
tool.
Sending a message to another user in Terminal Services requires the Full Control or Message
special access permission on the server’s RDP-Tcp connection.
- Remote Control: The Remote Control command enables you to view or control another
user’s TS client session. (You can configure the behavior of the Remote Control feature
in the Terminal Services Configuration console, the Remote Control tab of a user
account’s properties, or in Group Policy.)
You can also use the Shadow command-line tool to control an active session of another
user on a terminal server remotely.
To control another user’s session remotely, you must be assigned the Full Control or
Remote Control special access permission on the server’s RDP-Tcp connection.
IMPORTANT Using the Remote Control feature in TSM
You must be connected to the terminal server in a client session to use the Remote Control
feature in TSM. The feature is disabled in TSM when you are logged on locally to the terminal
server in a console session.
- Reset: Resetting a Terminal Services session deletes that session immediately without
saving any session data. Reset a session only when it appears to have stopped responding.
You can also use the Rwinsta or Reset session command-line command to reset a user session
on a terminal server.
Resetting another user’s TS session requires the Full Control access permission on the
server’s RDP-Tcp connection.
- Status: When you right-click a user session shown on the Users tab and then select the
Status command from the shortcut menu, the Status dialog box appears, containing
additional status information about the session. This information includes the TS client’s
IP address, computer name, and total bytes transmitted during the session. Figure
4-11 shows such a status dialog box.
Figure 4-11 The Terminal Services Manager Status dialog box
To view the status of another user’s session, you must be granted the Full Control or
Query Information special access permission on the server’s RDP-Tcp connection.
- Log Off: Logging off a user ends all user processes and then deletes the session from the
terminal server. If you want to log off a user, send the user a message first. Otherwise, the
user could lose unsaved session data.
Besides using TSM to log off a user, you can also use the Logoff command-line command.
To log off another user from a session, you must have the Full Control permission on the
server’s RDP-Tcp connection.
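Added example (not part of the original text): because disconnected sessions keep their processes running, it is useful to list them from Quser output before deciding which users to message and log off. The sketch below parses a constructed sample whose layout is modelled on Quser output; it assumes, as this example's own heuristic, that a row with a numeric second column is a disconnected session with no session name.

```python
# Added example: list disconnected sessions from quser output.
# SAMPLE_QUSER is constructed for this example; it is not output from the page.
SAMPLE_QUSER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>contosoadmin1         console             1  Active      none   3/4/2008 9:12 AM
 contosoadmin2                             2  Disc        1:37   3/4/2008 9:40 AM
 contosoadmin3         rdp-tcp#1           3  Active         5   3/4/2008 9:41 AM
 stefanr                                   4  Disc     1+02:15   3/3/2008 7:05 AM
"""


def idle_minutes(field):
    """Convert the IDLE TIME column ('none', '.', '5', '1:37', '1+02:15') to minutes."""
    if field in ("none", "."):
        return 0
    days = 0
    if "+" in field:                      # days+hours:minutes
        day_part, field = field.split("+", 1)
        days = int(day_part)
    if ":" in field:                      # hours:minutes
        hours, minutes = field.split(":", 1)
        return days * 1440 + int(hours) * 60 + int(minutes)
    return days * 1440 + int(field)       # minutes only


def parse_quser(text):
    """Return one dict per session row; the header and malformed rows are skipped."""
    sessions = []
    for line in text.splitlines():
        current = line.startswith(">")    # '>' marks the caller's own session
        tokens = line.lstrip(" >").split()
        if len(tokens) < 4 or tokens[0].upper() == "USERNAME":
            continue
        # A disconnected session has an empty SESSIONNAME column, so the
        # numeric ID appears directly after the user name (assumed heuristic).
        if tokens[1].isdigit():
            session_name, rest = "", tokens[1:]
        else:
            session_name, rest = tokens[1], tokens[2:]
        if len(rest) < 3 or not rest[0].isdigit():
            continue
        sessions.append({
            "user": tokens[0],
            "session": session_name,
            "id": int(rest[0]),
            "state": rest[1],
            "idle": idle_minutes(rest[2]),
            "current": current,
        })
    return sessions


def stale_disconnected(sessions, max_idle_minutes):
    """Disconnected sessions idle longer than the threshold: candidates for Msg, then Logoff."""
    return [s for s in sessions
            if s["state"] == "Disc" and s["idle"] > max_idle_minutes]


if __name__ == "__main__":
    for s in stale_disconnected(parse_quser(SAMPLE_QUSER), 60):
        print(f"session {s['id']} ({s['user']}) disconnected, idle {s['idle']} min")
```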
Ending a TS User Session Process
You can use the Processes tab in TSM to force a particular process in a user session to close.
This might be necessary, for example, if a certain application is hanging in a user session and
is causing a screen freeze. To end a process for this reason or any other, simply right-click the
process in question, and then click End, as shown in Figure 4-12.
Figure 4-12 Ending a process in a TS user session
To end a process within a terminal services user session, you can also use the Tskill
command-line command.
Quick Check
- On a terminal server, what is a console session?
Quick Check Answer
- The console session is the session of the locally logged-on user.
Managing Resources in Client Sessions

You can use the Windows Server Resource Manager (WSRM) feature in Windows Server 2008
to ensure that each client connecting to a terminal server is granted equal access to the server’s
resources. To use WSRM, you must first install it by opening Server Manager, selecting the Features
node, and then clicking Add Features. You can then use the Add Features Wizard to
select the feature and proceed with the installation. Once the tool is installed, you can access
WSRM through Administrative Tools.
WSRM uses Resource Allocation Policies to determine how computer resources are allocated
to processes running on the computer. At any given time, only one Resource Allocation Policy
is considered the managing policy or the policy in effect.
Four Resource Allocation Policies are built into WSRM, and two are specifically designed for
computers running Terminal Services:
- Equal_Per_User: When this policy is set as the managing policy, available CPU bandwidth
is shared equally among users. For example, if two users are running multiple
applications that consume 100 percent of the allocated CPU bandwidth, WSRM will
lower the priority of processes run by the user who exceeds 50 percent CPU usage. In this
policy, the number of terminal services sessions owned by each user is not considered.
- Equal_Per_Session: If you implement the Equal_Per_Session resource-allocation policy,
each user session (and its associated processes) gets an equal share of the CPU resources
on the computer. For example, if two users each own two separate user sessions on a terminal
server and consume 100 percent of the allocated CPU bandwidth, WSRM will
lower the priority of the processes run in the terminal services session that exceeds 25
percent CPU usage.
In general, you can think of these built-in Resource Allocation Policies in WSRM as a simple
means to ensure that no single user or session consumes more than an equal share of the
server’s available resources. However, you can also use WSRM to create custom Resource Allocation
Policies. When you create custom Resource Allocation Policies, you define Process
Matching Criteria that specify services, processes, or applications on the local server. In the
Resource Allocation Policy, you can then allocate a certain amount of CPU or memory
resources to those chosen services, processes, or applications.

Exam Tip You need to understand the Equal_Per_User and Equal_Per_Session Resource Allocation
Policies for the 70-643 exam. You also need to understand the general role that Process
Matching criteria play in a custom Resource Allocation Policy.
PRACTICE Managing Client Connections
In this practice, you will use the TSM console to view, control, and end Terminal Services user
sessions.
Exercise 1: View Terminal Services Sessions
In this exercise, you will use the TSM console to view Terminal Services sessions from within
a console (local logon) session. This practice requires the use of three separate domain administrator
accounts. In the following steps, these accounts are named ContosoAdmin1,
ContosoAdmin2, and ContosoAdmin3, respectively.
1. Log on to Contoso.com from Server2 as ContosoAdmin1.
2. Open Terminal Services Manager by clicking Start, Administrative Tools, and Terminal
Services and then clicking Terminal Services Manager.
3. If a Terminal Services Manager message box appears, read all the text, and then click OK.
4. In the console tree, select the Server2 node.
The details pane within the middle portion of the console is named Manage Terminal
Server: server2. This area contains three tabs: Users, Sessions, and Processes.
5. Verify that the Users tab in the center pane is selected, and then answer the following
questions.
How many users are currently connected?
Answer: One
What is the session type associated with the listed user(s)?
Answer: Console
Is this session type associated with a local or remote user?
Answer: Local
6. Right-click the user displayed on the Users tab, and then answer the following questions.
Which commands are available from the shortcut menu?
Answer: Disconnect, Send Message, and Log Off
Which commands listed on the shortcut menu are not available?
Answer: Connect, Remote Control, Reset, and Status
Why are these commands unavailable?
Answer: Connect and Remote Control cannot be performed from within a console session.
Reset and Status can be performed only on another user session.
7. Log on to Contoso.com from Server1 as ContosoAdmin2.
8. On Server1, open the Remote Desktop Connection client.
9. In the Computer text box, type server2.contoso.com, and then click Connect.
10. In the Windows Security dialog box, enter the credentials of ContosoAdmin2, and then
click OK. Be sure to type the user account in the form contoso\contosoadmin2.
11. On Server1, minimize the Remote Desktop window.
12. On Server1, open another instance of Remote Desktop Connection.
13. In the Computer text box in Remote Desktop Connection, type server2.contoso.com,
and then click Connect.
14. In the Windows Security dialog box, click Use Another Account.
15. Use the text boxes to enter the credentials of ContosoAdmin3, and then click OK. Be
sure to enter the username in the form contoso\contosoadmin3.
16. Return to TSM on Server2. Refresh the Users tab by clicking Refresh in the Actions pane.
17. Answer the following questions:
How many user sessions are now visible on the Users tab?
Answer: Three
What is the session type associated with the ContosoAdmin2 and ContosoAdmin3
sessions?
Answer: RDP-Tcp
Which two commands are available for the RDP-Tcp sessions that are not available for
the console session?
Answer: Reset and Status
What is the difference between the Reset and Log Off commands?

Answer: Both commands disconnect and end a session. However, the Reset command
deletes a session immediately without logging off the user.
18. Leave all windows open and proceed to Exercise 2.
Exercise 2: Manage Terminal Services Sessions
In this exercise, you will manage one Terminal Services session from within another. This practice
assumes that you have two active Terminal Services sessions from Server1 to Server2.
1. Return to Server1.
2. In the ContosoAdmin2 Remote Desktop session, open TSM. (You can use the Start
menu to help you distinguish between the two Remote Desktop sessions.)
3. Answer the following question: Which is the only user session on the Users tab that is
designated by a green arrow pointing upward?
Answer: The ContosoAdmin2 user session.
4. On Server1, switch to the ContosoAdmin3 Remote Desktop window. If the screen is
locked, provide credentials so that you can see the Server2 desktop again.
5. Mark the ContosoAdmin3 desktop in some way so that you can recognize it as belonging
to ContosoAdmin3. For example, you can save a Notepad file named ADMIN3 on
the desktop.
6. Switch back to the ContosoAdmin2 Remote Desktop window. In TSM, right-click the
ContosoAdmin3 user session, and then click Remote Control.
7. In the Remote Control dialog box, read the entire text, and then click OK.
8. Switch to the ContosoAdmin3 Remote Desktop window.
The Remote Control Request dialog box appears. The dialog box informs you that
ContosoAdmin2 is requesting to control your session remotely and asks you whether
you accept the request.
9. In the Remote Control Request box, click Yes.
10. Switch back to the ContosoAdmin2 remote desktop session.
The ContosoAdmin3 desktop is now visible in the ContosoAdmin2 session.
11. From the remote control window, perform any action, such as opening Notepad.
ContosoAdmin2 is now able to control the ContosoAdmin3 desktop.

12. Switch to Server2.
13. On the Users tab in TSM, right-click the ContosoAdmin3 session, and then click Log
Off.
14. In the Terminal Services Manager dialog box, click OK to confirm the choice.
The ContosoAdmin3 session is ended. (To see the user session disappear from the list,
you might need to click Refresh.)
15. On the Users tab in TSM, right-click the ContosoAdmin2 session, and then click Disconnect.
16. In the Terminal Services Manager dialog box, click OK to confirm the choice.
The ContosoAdmin2 session state changes from Active to Disconnected. (To see this
change, you might need to click Refresh.)
17. Leave all windows open and proceed to Exercise 3.
Exercise 3: Reconnect to a Disconnected Session
In this exercise, you will reconnect to a disconnected session. You will then attempt a second
connection to the terminal server with the same username and observe the effects.
1. In the TSM console on Server2, click the Sessions tab.
The Sessions tab shows that the ContosoAdmin2 session is disconnected.
2. Click the Processes tab.
The Processes tab shows that many processes from the ContosoAdmin2 session are still
running.
3. Right-click any of the processes listed.
The shortcut menu that appears provides the option to end the process. You can per-
form the same function with the End Process option in the Actions pane on the right
side of the TSM console. You can also perform this function with the Tskill
command-line command.
4. Without choosing to end the process you have selected, switch to Server1.
The Remote Desktop Disconnected message box has appeared, informing you that the
ContosoAdmin2 remote desktop session has ended.
5. In the Remote Desktop Disconnected message dialog box, click OK.
The Remote Desktop Connection window appears on the desktop.

6. Use the Remote Desktop Connection client and the credentials for ContosoAdmin2 to
establish a new connection to Server2 from Server1.
7. Switch to Server2.
8. In the TSM console on Server2, click the Users tab.
Note that the ContosoAdmin2 session is listed as Active again.
9. Switch to Server1.
10. Minimize the current Remote Desktop window on Server1.
11. Open Remote Desktop Connection by using the Start menu.
12. Use the ContosoAdmin2 credentials to attempt to create a second Terminal Services
session to Server2.
13. Investigate all open windows on Server1 and Server2, and then answer the following
question: Were you able to establish a second simultaneous Terminal Services session to
Server2?
Answer: No. The second connection attempt merely took over the active user
session, and the first connection was deleted.
14. Switch to Server2.
15. Open the Terminal Services Configuration (TSC) console by clicking Start,
Administrative Tools, and Terminal Services and then clicking Terminal Services Configuration.
16. In the center pane of the TSC console, under the Edit Settings – General area, double-
click the Restrict Each User To A Single Session option.
17. In the Properties dialog box, clear the Restrict Each User To A Single Session check box,
and then click OK.
18. If a Terminal Services Configuration error message appears, read the message, and then
click OK.
19. Return to Server1 and once again attempt to establish a second Remote Desktop
connection to Server2 by using the ContosoAdmin2 credentials.
The second Remote Desktop connection is established. In the TSM console on Server2,
if you click Refresh, you can see that two sessions from ContosoAdmin2 are now listed
as Active.

When you enable simultaneous sessions to a computer running Terminal Services, you
leave open the possibility of stranded sessions.
20. On Server2, use TSM to log off the first ContosoAdmin2 session and to reset the second.
21. On Server2, use the TSC console to re-enable the option to restrict each user to a single
session.
22. On both Server1 and Server2, close all open windows and log off all users.
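Exercise 3 showed that a disconnected session keeps its processes running on the terminal server, and the note after step 19 warns about stranded sessions. The following PowerShell is an added example, not part of the training kit: it parses quser output and reports disconnected sessions whose idle time exceeds a threshold. The sample output is constructed, and the function names and the English-language column layout are assumptions.

```powershell
# Constructed sample of `quser /server:Server2` output (not captured from a real host).
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>contosoadmin1         console             1  Active      none   3/10/2008 8:02 AM
 contosoadmin2                             2  Disc      2+03:15  3/8/2008 4:47 AM
 contosoadmin2         rdp-tcp#1           3  Active          5  3/10/2008 8:30 AM
 contosoadmin3                             4  Disc         1:20  3/10/2008 7:05 AM
'@

# Hypothetical helper: convert a quser idle value to minutes.
function ConvertTo-IdleMinutes([string]$Idle) {
    # quser prints idle time as "none" or ".", minutes ("5"), h:mm ("1:20") or d+h:mm ("2+03:15").
    if ($Idle -match '^(none|\.)$') { return 0 }
    if ($Idle -match '^(?:(\d+)\+)?(?:(\d+):)?(\d+)$') {
        # Groups that did not take part in the match are $null, which casts to 0.
        return ([int]$Matches[1] * 1440) + ([int]$Matches[2] * 60) + [int]$Matches[3]
    }
    throw "Unrecognized idle time '$Idle'"
}

# Hypothetical helper: emit one object per disconnected session idle longer than the threshold.
function Get-StaleDisconnectedSession {
    param([string[]]$QuserLines, [int]$MaxIdleMinutes = 2880)   # 2880 minutes = two days
    # SESSIONNAME is blank for disconnected sessions, so that column is optional.
    # The header row has no numeric ID and therefore never matches.
    $rx = '^[\s>](\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)\s+(\S+)\s+(.+)$'
    foreach ($line in $QuserLines) {
        if (-not ($line -match $rx)) { continue }
        $m = $Matches                      # keep this line's captures
        $idle = ConvertTo-IdleMinutes $m[5]
        if ($m[4] -eq 'Disc' -and $idle -gt $MaxIdleMinutes) {
            New-Object PSObject -Property @{
                User = $m[1]; SessionId = [int]$m[3]; State = $m[4]
                IdleMinutes = $idle; Logon = $m[6].Trim()
            }
        }
    }
}

# Run over the constructed sample.
Get-StaleDisconnectedSession -QuserLines ($sample -split '\r?\n') |
    Format-Table User, SessionId, State, IdleMinutes, Logon -AutoSize

# Against a live terminal server, feed the command's output instead:
#   Get-StaleDisconnectedSession -QuserLines (quser /server:Server2)
```

Splitting each row on whitespace alone would shift every column for disconnected sessions, because their SESSIONNAME field is empty; the optional group in the pattern handles that case.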
Lesson Summary
• You can configure TS client settings at the client by using Remote Desktop Connection
options or at the domain level by using a Group Policy object (GPO).
• When users connect to a terminal server, their profiles are stored on the remote server by
default. As a result, when many users access the terminal server, profiles can consume a
large amount of disk space. To remedy this, you can use disk quotas.
• You can manage a TS user profile by configuring a Terminal Services–specific roaming
user profile that is stored on a central network share. This TS-specific roaming user
profile can be defined on the Terminal Services Profile tab of a user account’s properties or
in Group Policy.
• Terminal Services Manager (TSM) is the main administrative tool used to manage
connections to a terminal server. You can use TSM to view information about users
connected to a terminal server, to monitor user sessions, or to perform administrative tasks
such as logging users off or disconnecting user sessions.
• You can use Windows System Resource Manager (WSRM) to allocate a terminal server’s
resources equally among users or sessions.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson.
The questions are also available on the companion CD if you prefer to review them in
electronic form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is correct or incorrect are
located in the “Answers” section at the end of the book.

1. TS1 is a server running Windows Server 2008 and Terminal Services. Users in your
organization connect to the server TS1 to run a line-of-business application. Recently, you
have noticed that user profiles are threatening to consume the total disk capacity on TS1.
You want users to be able to save their own data, but you also want to prevent profiles
from exhausting the total storage capacity of the disk on TS1. What should you do?
A. Use Group Policy to assign mandatory profiles to users who connect to TS1.
B. Configure disk quotas for the disk on TS1 on which user profiles are stored.
C. Use Group Policy to assign Terminal Services roaming user profiles to users who
connect to TS1.
D. Configure disk quotas for the local disk of each user who connects to TS1.
2. TS3 is a server running Windows Server 2008 and Terminal Services. You have the
responsibility of supporting users who connect to TS3 to run various applications. Users
complain that the application is responding slowly. You use the quser command on TS3
and discover that many users have multiple disconnected sessions on the server with
idle times of two days or more. You want to reduce the strain on TS3 by eliminating
disconnected sessions that have been idle for more than two days. What should you do?
A. Use the Rwinsta command.
B. Use the Tsdiscon command.
C. Use the Tskill command.
D. Use the Tscon command.
Lesson 2: Deploying Terminal Services Gateway
Terminal Services Gateway (TS Gateway) enables authorized users to establish connections to
terminal servers located behind a firewall. As simple as this idea sounds, the implications of TS
Gateway are surprisingly important. Before, you had to use a virtual private network (VPN) to
connect to resources on a private network from the Internet. Now, you can connect to even
more resources—including terminal server desktops and published applications—with a
technology that is actually easier to implement.
This lesson introduces you to TS Gateway and then describes how to install, configure, and
use it.
After this lesson, you will be able to:
• Understand the function of TS Gateway.
• Install TS Gateway.
• Configure TS Gateway.
• Configure Remote Desktop Connection to use TS Gateway.
Estimated lesson time: 50 minutes
Overview of Terminal Services Gateway
TS Gateway is an optional TS component that enables authorized Remote Desktop clients to
establish Remote Desktop Protocol (RDP) sessions between the Internet and Terminal
Services resources found behind a firewall on a private network. (“Terminal Services resources,”
in this case, refers both to terminal servers and to computers with Remote Desktop enabled.)
As they pass over the Internet, RDP connections to a TS Gateway server are secured and
encrypted by the Secure Sockets Layer (SSL) protocol. A key feature of TS Gateway is that it
enables RDP traffic to stream through corporate firewalls at TCP port 443, which is normally
open for SSL traffic. (By default, RDP traffic communicates over TCP port 3389.)
In a basic TS Gateway deployment, shown in Figure 4-13, a user on a home computer (point
1) connects over the Internet to TS Gateway (point 2) located behind an external corporate
firewall.
Figure 4-13 Basic TS Gateway scenario
The connection from points 1 to 2 is established by means of the RDP protocol encapsulated
in an HTTPS (HTTP over SSL) tunnel. To receive this HTTPS connection in the perimeter
network, the TS Gateway server must be running the Internet Information Services (IIS)
Web server. After receiving the connection, the TS Gateway server then strips away the
HTTPS data and forwards the RDP packets to the destination terminal servers (point 3)
located behind a second, internal firewall. In this scenario, if incoming connections are
allowed or denied to Active Directory accounts, Active Directory Domain Services must be
installed on the TS Gateway.
As an alternative to the basic scenario illustrated in Figure 4-13, you can use Internet Security
and Acceleration (ISA) Server instead of a TS Gateway server to serve as the SSL/HTTPS
endpoint for the incoming TS client connection. In this scenario, illustrated in Figure 4-14, ISA
Server (point 2) serves as either an HTTPS-to-HTTPS or an HTTPS-to-HTTP bridge to the TS
Gateway server (point 3), and the TS Gateway server then directs the RDP connection to the
appropriate internal resource (point 4). This method provides the advantage of protecting
Active Directory information within the corporate network.
[Figure 4-13 labels: (1) Home laptop; Internet; External firewall (port 443 open); (2) TS Gateway; Internal firewall, optional (port 3389 open); (3) Terminal servers and computers with Remote Desktop enabled; Active Directory Domain Services; Corporate/private network; links: RDP over SSL, RDP]